Join today’s leading executives online at the Data Summit on March 9th. Register here.
This article was contributed by Harman Singh, director of Cyphere.
Ransomware is currently one of the most common types of cyberattacks. It’s essential to be aware of the different variations of ransomware and how they can affect businesses, particularly small and midsized enterprises. As such, let’s outline what ransomware is, why it’s so dangerous for business owners, and identify steps that you can take to protect your company against this threat.
What is ransomware?
Ransomware is malware that infects devices and locks users out of their data or applications until a ransom is paid. This is costly for businesses because they may have to pay a large sum of money to regain access to their files. It has been revealed that some users have paid enormous fees to obtain the decryption key. The fees can range from a hundred dollars to thousands of dollars, which are typically paid to cybercriminals in bitcoin.
Examples of ransomware attacks
Some major ransomware attacks include:
A devastating Microsoft exploit was utilized to create a worldwide ransomware virus that infected over 250,000 systems before a kill switch was activated to stop its growth. Proofpoint assisted in locating the sample used to discover the kill switch and in analyzing the ransomware.
CryptoLocker was the first ransomware of this generation to demand Bitcoin for payment and encrypt a user’s hard drive as well as network drives. The CryptoLocker ransomware spread via an email attachment that purported to be FedEx and UPS tracking notifications. In 2014, a decryption tool became available for this malware.
The NotPetya ransomware attack is one of the most harmful techniques. It’s known for corrupting and encrypting the master boot record of Microsoft Windows-based systems. NotPetya is distributed via the same exploit as WannaCry to quickly spread and demand payment in bitcoin to reverse its modifications.
Bad Rabbit was visible ransomware that employed similar code and vulnerabilities to NotPetya, spreading across Ukraine, Russia, and other countries. It primarily targeted Ukrainian media organizations, rather than NotPetya. It was spread via a fraudulent Flash player update that might infect users through a drive-by attack.
History of ransomware
The first ransomware program was distributed in 1989 by the AIDS Information Trojan, which used a modified version of the game “Kukulcan,” disguised as an erotic interactive movie.
In 2006, malware called Gpcode.AG began to appear, which installed browser helper objects and ransom notes through rogue Firefox extensions hosted on sites such as Download.com and Brothersoft.com, as well as through emails with malicious attachments.
In March 2012, police in Southampton, England, arrested two men on suspicion of creating a ransomware program called Reveton. The program was first identified by the Russian security firm Kaspersky Lab, which named it “Icepol.”
In May 2012, Symantec reported they discovered ransomware called “Troj Ransomware,” which encrypted data on victims’ computers and demanded ransom payments in Bitcoin. In August 2013, a ransomware variant of the crypto locker ransomware was discovered that targeted users of Mac OS X.
In December 2013, reports indicated that the ransomware attack had infected more than 16,000 computers in Russia and neighboring countries.
Following that, in January 2014, security researchers reported that a new ransomware program called CryptoLocker was being distributed through emails on a massive scale. The encrypted ransomware files on the infected system and then demanded ransom payments in Bitcoin, to be paid within three days, or the price would double.
Ransomware became extensively popular during 2016, with several new ransomware variants of CryptoLocker being released, as well as numerous other versions appearing over different periods throughout that year.
In May 2017, the WannaCry ransomware cryptoworm assaulted computers running the Microsoft Windows operating systems.
Types of ransomware
There are different types of ransomware, but the most common ones can be broken down into the following categories:
This type of ransomware encrypts files on the victim’s computer and then demands ransom payments to decrypt them.
This type of ransomware displays a screen that locks the victims out of their computers or mobile devices and then demands ransom payments to unlock it.
This type of ransomware is a version of “ransomware” that encrypts files on the hard drive of an infected mobile phone or tablet computer. Once the ransom payment has been paid, the victims can regain access to their devices.
This type of ransom malware does not encrypt files on the victim’s computer, but instead uses a botnet to bombard servers with so much traffic that they cannot respond.
RaaS is apparently the latest business model for cybercriminals. It allows them to create their own ransomware and then either use it themselves or sell it to other parties who can execute cyberattacks.
How do ransomware attacks work?
There are different ways that it can infect a computer, but the most common way is through emails with malicious software or attachments. The ransomware virus will be attached to an email as an executable file (such as .exe or .com), and when the victim opens the email, it will automatically run on their computer.
Once, the virus has infected a computer, it will typically:
- Encrypt files on the victim’s hard drive.
- Display a ransom note that demands payment to decrypt them (or demands ransom payments in another form). The ransom note may also provide decryption information and instructions if they type “DECRYPT” or “UNLOCK.” Some ransomware programs do not provide this information.
- Disable system functions such as the Windows Task Manager, Registry Editor and Command Prompt.
- Block access to malicious websites that provide information on how to remove ransomware or decrypt files without paying the ransom.
Who is a target for ransomware attacks?
Ransomware threats are becoming increasingly common, and ransomware attackers have a variety of options when it comes to selecting the organizations they target.
Occasionally, it’s simply a matter of chance: attackers may choose universities since they frequently have smaller security teams and a diverse user base that does a lot of file-sharing of research data, student information, and other Person Identifiable Information (PII) from staff, students, and researchers.
Similarly, government agencies and hospitals tend to be frequent targets of ransomware, as they typically need immediate access to their documents. This means they’re more likely to pay the ransom.
For example, law enforcement firms and other businesses with sensitive data may be willing to quickly pay money to keep information on a data breach secret, which means these businesses may be particularly susceptible to leakware assaults. Leakware attacks use malware designed to extract sensitive information and send it to attackers or remote instances of malware.
How to prevent ransomware attacks
There are different ways that a person can protect their computer from ransomware or block ransomware, and the best way to prevent a ransomware attack is to be prepared.
Follow the points below to prevent ransomware:
- Back up your files regularly — this will help ensure that you don’t lose your data if it is encrypted by ransomware.
- Ensure that your antivirus software is updated frequently.
- Change the passwords for your important accounts regularly and use a strong, unique password for each of them (or use a recommended password generator). Password managers should be mandatory to generate and store sensitive information securely.
- Never share any passwords with anyone, or write them down where others could find them. Passwords should be at least 16 characters long, including upper and lowercase letters, numbers, and symbols.
- Be cautious when you’re opening emails, and never open a malicious attachment from unknown senders. If you are uncertain whether an email is legitimate, contact the company directly to verify its authenticity.
- Disable macros in Microsoft Office programs.
- Install security software that can help protect your computer from ransomware attacks.
A strategic recommendation would be to ensure that people, processes, and technological controls work together. Principles such as the principle of the least privilege (PoLP), defense in-depth, and secure multilayered architecture are some basics to achieve such changes. Regular penetration testing helps an organization to see its blind spots and ensure all risks are identified and analyzed before risk mitigation is exercised.
Ransomware infections are sophisticated for general users; it will not be mathematically possible for anyone to decrypt these infections without access to the key that the attacker holds.
Harman Singh is the director of Cyphere.